Xen Dom0, are we making progress?
tom at tomjudge.com
Tue Mar 13 10:46:49 UTC 2007
Nikolas Britton wrote:
> On 3/12/07, Andras Gót <andrej at antiszoc.hu> wrote:
>> Nikolas Britton wrote:
>> > On 3/12/07, Ronald Klop <ronald-freebsd8 at klop.yi.org> wrote:
>> >> On Mon, 12 Mar 2007 20:16:32 +0100, Nikolas Britton
>> >> <nikolas.britton at gmail.com> wrote:
>> >> > Is FreeBSD making any progress in Xen Dom0 / Intel VT support? I'd
>> >> > really like to consolidate some underutilized FreeBSD servers. Are
>> >> > there any alternative solutions that will enable me to do this kind of
>> >> > stuff with FreeBSD, or would it be better to go with Solaris Dom0 +
>> >> > FreeBSD DomU?
>> >> http://docs.freebsd.org/44doc/papers/jail/jail.html
>> >> google: jail freebsd
>> > Yes I'd like to know more about jails, is there a high level /
>> > executive summary type document that I can read somewhere? From what I
>> > remember jails are mostly designed to partition stuff... for security
>> > reasons.
>> > What I'd really love to do is split up each service (httpd, postgres,
>> > samba/nfs, ldap/nis, asterisk, etc.) into discrete virtual machines.
>> > It's too much work trying to make them all play nice on one system,
>> > especially during upgrades. As it is right now I don't upgrade any
>> > services once a system is in production use.
>> For first read man jail. :) Apache, bind, mysql and postfix run fine in
>> a jail. For postgres you've to turn on the jail.ipc.
>> This is basically not so bad, but definitely reduces security. For
>> samba/nfs/ldap/nis and asterisk I don't have the experience, but if they
>> do not need ipc, they'll run fine out of the box. In jails I suggest that
>> you mount your ports tree with some nullfs mount. With this you'll save
>> some hd capacity. (The installed port list is in /var, not in
>> /usr/ports.) In jails you can't do resource control, so keep that in
> Is there any way to transfer jails on the fly between systems... For
> example, say I wanted to transfer the http service to a more powerful
> box because load was too high, can you do stuff like this?
You could export the jail file system via nfs, or use some other form of
shared storage to share the file system. I have seen systems that put
the jail IP address onto the loop back interface and then use OSPF to
advertise the service to your border routers. If your storage subsystem
supports it (NFS will) you can have both jails up and running at the
same time and then just change the routing advertisements to move the
Just an idea, I have never tried it, but I did see some fail over
project that used the methods above. The project advertised the fact
that not only can you move services between hosts but also you can move
them between physical sites if your routers all run ospf.